Snooping on sockets/file descriptors

Vimal j.vimal at gmail.com
Thu Mar 31 16:04:47 EDT 2011


Hi Daniel,

>
> How about tcpdump?
>

Thanks for the suggestion.

tcpdump is good, but it doesn't solve all problems.  There are a few reasons:

* TCP packets could arrive out of order
* The data needn't belong to a valid TCP connection
* The app could just discard data (close/flush/etc)

In short, there is a lot of state and complex logic which act on the
packets before they are seen by the application.

Given the complexity (such as wide variations in TCP implementation),
I am not sure if reimplementing them is a good idea, even if it's
possible.

Thanks,
-- 
Vimal



More information about the Kernelnewbies mailing list